Hello,
I don't understand why i have a cookie filled in my response header while i use JWT Bearer Authentication. And i can't find way how to configure correctly.
When I authenticate on my webAPI, in my reponse i have :
Set-Cookie: .AspNetCore.Identity.Application=CfDJ8KKk9DCF-3ZMv5e0QMpwpsulx6nT_6d68JTe0a8VPBM ...; path=/; samesite=lax; httponly
api-supported-versions: 1
My startup look like this :
Configure :
app.UseAuthentication();
app.UseMvc();
ConfigureServices :
services.Configure<IdentityOptions>(options =>
{
// Password settings
options.Password.RequireDigit = true;
options.Password.RequiredLength = 16;
options.Password.RequireNonAlphanumeric = true;
options.Password.RequireUppercase = true;
options.Password.RequireLowercase = true;
// User settings
options.User.RequireUniqueEmail = true;
});
// Add framework services.
services.AddEntityFrameworkNpgsql()
.AddDbContext<ApplicationDbContext>(options => options.UseNpgsql(Configuration.GetConnectionString("ConnectionString")));
services.AddIdentity<ApplicationUser, IdentityRole>()
.AddEntityFrameworkStores<ApplicationDbContext>()
.AddDefaultTokenProviders();
services.AddAuthentication(options =>
{
options.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
})
.AddJwtBearer(options =>
{
options.TokenValidationParameters = new AuthenticationConfiguration(Configuration).JwtTokenValidationParameters;
options.SaveToken = true;
});
And for authenticate i use :
var result = await _signInManager.PasswordSignInAsync(username, password, false, lockoutOnFailure: false);
Is there a way to have no cookie in my response header ?
Thx
See https://github.com/aspnet/Identity/issues/1376
With JWT you will have to manage the authentication yourself.
Yep, dupe of #1376
@hey-red @HaoK What do you mean by:
With JWT you will have to manage the authentication yourself.
I can't use _signInManager.PasswordSignInAsync anymore? what is the alternative?
@jcmordan
You can achieve it like this:
```C#
var user = await _userManager.FindByNameAsync(userName);
if (user == null)
{
return BadRequest("Invalid credentials");
}
var result = await _signInManager.CheckPasswordSignInAsync(user, password, true);
if (!result.Succeeded)
{
return BadRequest("Invalid credentials");
}
// Create token with user claims..
```
@hey-red Thx, using CheckPasswordSignInAsync solved my problem.
Most helpful comment
@jcmordan
You can achieve it like this:
```C#
var user = await _userManager.FindByNameAsync(userName);
if (user == null)
{
return BadRequest("Invalid credentials");
}
var result = await _signInManager.CheckPasswordSignInAsync(user, password, true);
if (!result.Succeeded)
{
return BadRequest("Invalid credentials");
}
// Create token with user claims..
```